The Irony of Passwords
A chronology of protective technologies making life miserable one improvement at a time.
Once upon a time,
on a planet not unlike this one, everyone used the password “123456” for literally everything, from the combination lock on their briefcase to their ICQ account.
On the rare occasion when someone actually bothered hacking an account, they usually managed to just guess the password. This mildly annoyed the account owners, but then again, the potential damage was rather limited. At worst, the hacker would send an ICQ message to your high-school crush…
So, people only made their passwords ever-so-slightly more complex. “123456” became “123456abc”. While such passwords seemed idiotic, they were exponentially harder to guess, and for a time, all was well.
New risks, new measures
As the years progressed, the web was starting to be used for more sensitive tasks, like banking and investing, which presented a real incentive for breaking into user accounts. The use of brute force hacking tools became more prevalent, and passwords needed to become harder to guess – for machines as well as humans. When your bank launched their first website (which probably hasn’t been upgraded since then…), you already needed to pick a password consisting of numbers, lower-case letters and upper-case letters, which was considered revolutionary at the time.
In parallel, a more elegant solution emerged: two-factor authentication (or 2FA, as it’s affectionately called by the tech savvy). Here is where things got interesting.
Two-factor authentication works on the assumption that no password is truly safe. This is a radical way of thinking, as most services limit the number of login attempts, which makes even a simple password difficult to crack by brute force. Still, a hacker may somehow record your keystrokes, or the password database may leak, or God knows what. 2FA adds a strong layer of protection: Even if a hacker has your password, they still need physical access to your phone to get a verification code.
Theoretically, this should have ended the race for increasingly complex passwords. But 2FA is bothersome for users, and for years it was kept optional on most services. Meanwhile, the rest of the users still needed protection, and the password marathon went on in full force. Special characters were thrown into the mix. Soon, every website and app – from banks, to social networks, to food delivery services – has adopted the strictest standards for password complexity.
There is a lot to be said about the common methodology for making passwords more complex, and thankfully, it has already been said by people smarter than I, like Randall Munroe of the XKCD comics:
Well, I don’t know anything about entropy, but to me both passwords seem difficult to crack – and to remember. In fact, if you use different passwords for different services (as you should, children!), remembering all of them is pretty impossible.
Your session has timed out
To make matters even more annoying.. err, sorry, more secure, high-risk services (like banks and P2P platforms) implement yet another protective measure: automatic session timeout. If you don’t use your account for a few minutes, you are automatically logged out, and need to reenter your password to log back in.
Mind the gap
Ironically, these protective measures – complex passwords which need to be typed again and again – have led to wide adoption of the browser’s auto-fill function, which basically serves your passwords on a silver platter to anyone who physically steals your device, as your details are already typed in each login screen…
In other words: Your account may be protected by a 16-digit password, and two-factor authentication, and your session times out automatically… but if a Golden Retriever accidentally steps on your phone, it will just log back into the super-secure app.
Of course, there is a way to protect against thieves and Golden Retrievers… You guessed it: setting up yet another password to unlock your phone!
La Double Protection (don’t Google it.)
Digital banking service Paysera has gone yet a step further. To use their 2-factor authentication, you need to download their app, set a PIN, type your login details on the computer, unlock the phone app with the PIN, match the number on your computer screen with that on your phone, swipe right – and voilà, you’re logged in. Good luck to a thief trying to hack this mess while sprinting away with your phone!
Then again, good luck to you trying to regain access to your account if you have 2FA activated and your phone was stolen. After completing the necessary security procedures, you may wish that the robber had just killed you instead.
What does the future hold?
Most likely, biometric authentication methods would eventually render all other methods obsolete. Of course, to ensure maximum security, your fingerprints will probably be used in combination with your retina scans, 25-digit passwords, 3 SMS codes, 2 authenticator apps, a PIN, and a signed letter from God permitting you to access your account. Every. Damn. Time.
* * *
This article is largely humorous; its historic and technological descriptions aren’t accurate and should be taken with a grain of salt. It does, however, set the ground for a more serious article I’m working on, related to information security on P2P platforms. Stay tuned.